[PATCH 0/5] staging: rtl8723bs: fix multiple OOB reads in IE and frame parsing

From: Muhammad Bilal

Date: Sat Jul 18 2026 - 14:55:27 EST


This series fixes five out-of-bounds read and buffer overflow bugs
in the rtl8723bs staging driver where length or offset fields from
untrusted wireless frames are used without validating that enough
bytes remain in the buffer.

Patches 1-4 are reachable remotely through crafted management frames
(beacons, probe responses, scan results). Patch 5 is reachable
locally via raw frame injection on a monitor-mode interface.

Impact:

1/5 OOB read of IE length byte and OUI data in rtw_get_wps_ie()
2/5 OOB read plus stack buffer overflow via attacker-controlled
memcpy length in rtw_get_wps_attr()
3/5 OOB read of action frame category and action bytes
4/5 OOB read of next-IE length in the non-matching fallthrough path
5/5 skb->len underflow after unchecked skb_pull in monitor TX path

All fixes are single-hunk bounds checks following the same pattern
already used in the sibling functions in these files.

Tested: CONFIG_RTL8723BS=m with CONFIG_KASAN=y, checkpatch clean.

Muhammad Bilal (5):
staging: rtl8723bs: fix OOB read in rtw_get_wps_ie()
staging: rtl8723bs: fix OOB read / stack overflow in
rtw_get_wps_attr()
staging: rtl8723bs: fix OOB read in rtw_action_frame_parse()
staging: rtl8723bs: fix OOB read in rtw_restruct_wmm_ie()
staging: rtl8723bs: fix skb->len underflow in monitor TX path

drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 15 ++++++++++++++-
drivers/staging/rtl8723bs/core/rtw_mlme.c | 3 +++
drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c | 13 ++++++++++++-
3 files changed, 29 insertions(+), 2 deletions(-)

--
2.55.0